The Payment Card Industry Data Security Standard (PCI DSS) defines standards for ensuring the protection of cardholder data in computer transactions. These standards apply to all entities that store, process, or transmit cardholder data. For example, a merchant that accepts or processes payment cards must comply with the PCI DSS. The primary goal of the PCI DSS is to protect cardholder data wherever it is processed, stored, or transmitted.
One portion of the PCI DSS, known as the Payment Application DSS (PA DSS), defines standards for third party payment software applications. For example, the PA DSS would govern an application that receives user input of a credit card number or other payment information on a computing device. The PA DSS requires compliance when cardholder data (e.g. primary account number, cardholder name, expiration date, service code, PIN, magnetic strip data, etc.) is stored, processed, or transmitted by the application.
To comply with the PA DSS, applications that receive, store, or transmit cardholder data must be configured to perform various functions (e.g. encryption) on the cardholder data. Performing these functions requires substantial computing resources. Many computing devices have sufficient resources to adequately support such applications.
However, some computing devices, such as mobile devices, either have limited computing resources or lack other security features that make it much more difficult to provide a PA DSS compliant application on such devices. For example, although many smart phones/apps can be configured to accept payment information in a PA DSS compliant manner, it is difficult, costly, and relatively less secure to do so. For this reason, relatively few mobile applications/platforms are certified as PA DSS compliant.
To address this issue, one workaround is being commonly implemented. Mobile applications such as Square (provided by Square, Inc.) or GoPayment (provided by Intuit, Inc.) use a mobile card reader (which is generally plugged in to the earphone jack) that scans a payment card and encrypts the cardholder data before transmitting it to the mobile phone. Because the cardholder data is encrypted before it is transferred to the phone, and therefore never stored on the phone in an unencrypted format, the application running on the phone does not need to comply with the PA DSS. This approach works, but is often less desirable because it requires a separate card reader and requires that a card be physically scanned.